The hCaptcha widget can protect your applications from bots, spam, and other forms of automated abuse. Installing hCaptcha is fast and easy. It requires either adding some simple HTML and server side code, or using one of the many tools that natively support hCaptcha.
Safari: Mac os Safari12. Management Software. CE-LVD: EN62368-1 CE-EMC: Electromagnetic Compatibility Directive 2014/30/EU CE-RED: Radio Equipment Directive 2014/53/EU FCC: 47 CFR FCC Part 15, Subpart B FCC ID: FCC PART 15C. 1 channel in: 5mA 3V–5V DC. V1.5.4 Dingley Dahu (13th December 2017) v1.5.3 Purpler Unicorn with Starlight (16 October 2017) v1.5.2 Purpler Unicorn with Stars (28 August 2017) v1.5.4 Dingley Dahu (13th December 2017) v1.5.3 Purpler Unicorn with Starlight (16 October 2017) v1.5.2 Purpler Unicorn with Stars (28 August 2017) v1.5.1 Purpler Unicorn (13 July 2017).
To make integration even quicker, wrappers and plugins are available for many frameworks: Angular, Node, Express, ReactJS, VueJS, WordPress and more.
A complete list of known hCaptcha integrations is also available.
If you're already using Google's reCAPTCHA, you can use your existing code with a few slight changes. hCaptcha methods are API-compatible with reCAPTCHA methods, for example
render()
and onload()
. Custom data attributes like theme
, size
, and tab-index
are also supported in the same way by hCaptcha.Basic Principles#
You embed the hCaptcha widget on your site. For example, on a login form. The user answers an hCaptcha. They get a passcode from our server that is embedded in your form. When the user clicks Submit the passcode is sent to your server in the form. Your server then checks that passcode with the hCaptcha server API. hCaptcha says it is valid and credits your account. Your server now knows the user is not a bot and lets them log in. Pretty simple!
Content-Security-Policy Settings#
Content Security Policy (CSP) headers are an added layer of security that help to mitigate certain types of attacks, including Cross Site Scripting (XSS), clickjacking, and data injection attacks.
If you use CSP headers, please add the following to your configuration:
script-src
should includehttps://hcaptcha.com, https://*.hcaptcha.com
frame-src
should includehttps://hcaptcha.com, https://*.hcaptcha.com
style-src
should includehttps://hcaptcha.com, https://*.hcaptcha.com
connect-src
should includehttps://hcaptcha.com, https://*.hcaptcha.com
Please do not hard-code specific subdomains, like
assets.hcaptcha.com
, into your CSP: asset subdomains used may vary over time or by region.If you are an enterprise customer and would like to enable additional verification to be performed, you can optionally choose the following CSP strategy:
unsafe-eval
andunsafe-inline
should includehttps://hcaptcha.com, https://*.hcaptcha.com
Add the hCaptcha Widget to your Webpage#
hCaptcha requires two small pieces of client side code to render a captcha widget on an HTML page. First, you must include the hCaptcha javascript resource somewhere in your HTML page. The
<script>
must be loaded via HTTPS and can be placed anywhere on the page. Inside the <head>
tag or immediately after the .h-captcha
container are both fine.<scriptsrc='https://hcaptcha.com/1/api.js'asyncdefer></script>
Second, you must add an empty DOM container where the hCaptcha widget will be inserted automatically. The container is typically a
<div>
(but can be any element) and must have class h-captcha
and a data-sitekey
attribute set to your public site key.You can find your site key on your profile page.
<divclass='h-captcha'data-sitekey='your_site_key'></div>
Typically, you'll want to include the empty
.h-captcha
container inside an HTML form. When a captcha is successfully solved, a hidden token will automatically be added to your form that you can then POST to your server for verification. You can retrieve it server side with POST parameter h-captcha-response
.Here's a full example where hCaptcha is being used to protect a signup form from automated abuse. When the form is submitted, the
h-captcha-response
token will be included with the email and password POST data after the captcha is solved.<head>
<scriptsrc='https://hcaptcha.com/1/api.js'asyncdefer></script>
<body>
<inputtype='text'name='email'placeholder='Email'/>
<inputtype='password'name='password'placeholder='Password'/>
<divclass='h-captcha'data-sitekey='your_site_key'></div>
<inputtype='submit'value='Submit'/>
</body>
Verify the User Response Server Side#
![Mac Mac](https://dahuawiki.com/images/thumb/e/ec/GDMSS_PLUS_4.20-6.jpg/250px-GDMSS_PLUS_4.20-6.jpg)
Pogo the fridge mac os. By adding the client side code, you were able to render an hCaptcha widget that identified if users were real people or automated bots. When the captcha succeeded, the hCaptcha script inserted a unique token into your form data.
To verify that the token is indeed real and valid, you must now verify it at the API endpoint:
The endpoint expects a POST request with two parameters: your account secret and the
h-captcha-response
token sent from your frontend HTML to your backend for verification. You can optionally include the user's IP address as an additional security check. Do not send JSON data: the endpoint expects a standard URL-encoded form POST.A simple test will look like this:
-X POST
Note that the endpoint expects the
application/x-www-form-urlencoded
Content-Type. You can see exactly what is sent usingin the example above.
Do not use a GET request to call /siteverify. Use a POST request, and pass the parameters in the form body, not the URL.
While the endpoint may respond correctly to a GET request or to a POST request that uses URL parameters, this is not guaranteed. If the parameters you send to GET are too long, the request will fail and you will be unable to validate passcodes. Using a POST request ensures you will not have this problem.
Please note that you must call
/siteverify
with your account secret in order to be credited: this is the step in the process that associates your account with the value of that answer. You will also be unable to validate passcodes from a sitekey in one account if using a different account's secret.You can find your secret key on your profile page.
![Catcha Catcha](https://dahuawiki.com/images/f/fd/SmartPSSP2P1.png)
POST Parameter | Description |
---|---|
secret | Required. Your account secret key. |
response | Required. The verification token you received when the user completed the captcha on your site. |
remoteip | Optional. The user's IP address. |
sitekey | Optional. The sitekey you expect to see. |
Tokens can only be used once and must be verified within a short period of time after being issued. To retrieve the token on your server, use the
h-captcha-response
POST parameter submitted by your form.We recommend passing the sitekey parameter, as it will prevent tokens issued on one sitekey from being redeemed elsewhere. Depending on your difficulty settings this might have no security impact, but if you set a higher difficulty level and do not enforce sitekey matches an adversary could potentially solve an easier challenge on another sitekey, then redeem it on a harder one.
SECRET_KEY ='your_secret_key'# replace with your secret key
Dahu Captcha Mac Os Download
# Retrieve token from post data with key 'h-captcha-response'.
data ={'secret': SECRET_KEY,'response': token }
# Make POST request with data payload to hCaptcha API endpoint.
# Parse JSON from response. Check for success or error codes.
success = response_json['success']
Your POST request will receive a JSON response. You should check the
success
field and only execute your normal business logic if success
is true
. Otherwise, check the error-codes
field for a human-readable error code and return an appropriate error message to the end user.Here's what a JSON response from hCaptcha looks like:
Dahu Captcha Mac Os Catalina
'success':true|false,// is the passcode valid, and does it meet security criteria you specified, e.g. sitekey?
'challenge_ts': timestamp,// timestamp of the challenge (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
'hostname': string,// the hostname of the site where the challenge was solved
'credit':true|false,// optional: whether the response will be credited
'score': float,// ENTERPRISE feature: a score denoting malicious activity.
'score_reason':[..]// ENTERPRISE feature: reason(s) for score. See BotStop.com for details.
Please note that the credit field is not always included, and that absence of a False credit flag does not guarantee credit was earned. Some example scenarios when it may appear: site visitor is using a very old browser, or has a poorer than normal history of accuracy.
Please also note that the hostname field is derived from the user's browser, and should not be used for authentication of any kind; it is primarily useful as a statistical metric. Additionally, in the event that your site experiences unusually high challenge traffic, the hostname field may be returned as 'not-provided' rather than the usual value; all other fields will return their normal values.
These are the error codes that can be returned by the hCaptcha API:
Error Code | Description |
---|---|
missing-input-secret | Your secret key is missing. |
invalid-input-secret | Your secret key is invalid or malformed. |
missing-input-response | The response parameter (verification token) is missing. |
invalid-input-response | The response parameter (verification token) is invalid or malformed. |
bad-request | The request is invalid or malformed. |
invalid-or-already-seen-response | The response parameter has already been checked, or has another issue. |
sitekey-secret-mismatch | The sitekey is not registered with the provided secret. |
Local Development#
My only friends mac os. If you are developing on your local machine there are a few things to keep in mind.
Modern browsers have strict CORS and CORB rules, so opening a
file://URI
that loads hCaptcha will not work. Loading hCaptcha from http://localhost/
will encounter the same issue on some browsers. The hCaptcha API also prohibits localhost
and 127.0.0.1
as supplied hostnames.The simplest way to circumvent these issues is to add a hosts entry. For example:
Place this in
/etc/hosts
on Linux, /private/etc/hosts
on Mac OS X, or C:WindowsSystem32Driversetchosts
on Windows.You can then access your local server via http://test.mydomain.com, and everything will work as expected. Rusty mac os.
Integration Testing: Test Keys#
If you intend to run automated integration tests that access a live server, the simplest approach is to use the following test hCaptcha site keys that always generate a passcode without asking a question. Those passcodes can only be verified using the test secret.
The test keys provide no anti-bot protection, so please double-check that you use them only in your test environment!
Test Key Set: Publisher Account#
Test parameter | Value |
---|---|
Site Key | 10000000-ffff-ffff-ffff-000000000001 |
Secret Key | 0x0000000000000000000000000000000000000000 |
Test Key Set: Enterprise Account (Safe End User)#
Test parameter | Value |
---|---|
Site Key | 20000000-ffff-ffff-ffff-000000000002 |
Secret Key | 0x0000000000000000000000000000000000000000 |
Test Key Set: Enterprise Account (Bot Detected)#
Test parameter | Value |
---|---|
Site Key | 30000000-ffff-ffff-ffff-000000000003 |
Secret Key | 0x0000000000000000000000000000000000000000 |
Dahu Captcha Mac Os X
For hCaptcha Enterprise users, the two keypairs above will allow you to verify your application behavior in the most common score scenarios. Please contact your integration support engineers for guidance if you have additional questions.
What's next?#
Congrats! By following this guide, you now have a complete and working implementation of hCaptcha. By default, hCaptcha supports multiple widgets per page and automatic localization.
If you're interested in a more advanced implementation that involves JavasSript callbacks, explicit rendering, alternative themes, or explicit localization, check out the next section on configuration.
And if you have any issues getting hCaptcha to work on your site, or you'd like to start a pilot of our enterprise service to try out bot scores, No-CAPTCHA modes, and more, get in touch and we'll be happy to help.